When deciding where an audit is needed most, we look at the volume of information the institution has, as well as information disclosure practices and risks. Of course, we take into account the number of complaints in an area and the nature of the personal information being collected, among other things. As I said, volume is a factor. All of that goes into selecting the organizations we feel are most at risk.
On April 27th, 2010. See this statement in context.